[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v3 5/5] x86/MSI: drop workaround for insecure Dom0 kernels
Considering that - the workaround is expensive (iterating through the entire P2M space of a domain), - the planned elimination of the expensiveness (by propagating the type change step by step to the individual P2M leaves) wouldn't address the IOMMU side of things (as for it to obey to the changed permissions the adjustments must be pushed down immediately through the entire tree) - the proper solution (PHYSDEVOP_msix_prepare) should by now be implemented by all security conscious Dom0 kernels remove the workaround, killing eventual guests that would be known to become a security risk instead. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -770,7 +770,7 @@ static void ept_change_entry_type_global return; BUG_ON(p2m_is_grant(ot) || p2m_is_grant(nt)); - BUG_ON(ot != nt && (ot == p2m_mmio_direct || nt == p2m_mmio_direct)); + BUG_ON(p2m_is_mmio(ot) || p2m_is_mmio(nt)); ept_change_entry_type_page(_mfn(ept_get_asr(ept)), ept_get_wl(ept), ot, nt); --- a/xen/arch/x86/msi.c +++ b/xen/arch/x86/msi.c @@ -825,32 +825,22 @@ static int msix_capability_init(struct p msix->pba.last) ) WARN(); - if ( dev->domain ) - p2m_change_entry_type_global(dev->domain, - p2m_mmio_direct, p2m_mmio_direct); - if ( desc && (!dev->domain || !paging_mode_translate(dev->domain)) ) + if ( desc ) { - struct domain *d = dev->domain; + struct domain *currd = current->domain; + struct domain *d = dev->domain ?: currd; - if ( !d ) - for_each_domain(d) - if ( !paging_mode_translate(d) && - (iomem_access_permitted(d, msix->table.first, - msix->table.last) || - iomem_access_permitted(d, msix->pba.first, - msix->pba.last)) ) - break; - if ( d ) - { - if ( !is_hardware_domain(d) && msix->warned != d->domain_id ) - { - msix->warned = d->domain_id; - printk(XENLOG_ERR - "Potentially insecure use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n", - seg, bus, slot, func, d->domain_id); - } - /* XXX How to deal with existing mappings? */ - } + if ( !is_hardware_domain(currd) || d != currd ) + printk("%s use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n", + is_hardware_domain(currd) + ? XENLOG_WARNING "Potentially insecure" + : XENLOG_ERR "Insecure", + seg, bus, slot, func, d->domain_id); + if ( !is_hardware_domain(d) && + /* Assume a domain without memory has no mappings yet. */ + (!is_hardware_domain(currd) || d->tot_pages) ) + domain_crash(d); + /* XXX How to deal with existing mappings? */ } } WARN_ON(msix->nr_entries != nr_entries); Attachment:
x86-MSI-drop-workaround.patch _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |